SonnenladenGmbH / APsystems-EZ1-API

The APsystems EZ1 Python library offers a streamlined interface for interacting with the local API of APsystems EZ1 Microinverters.
MIT License
54 stars, 7 forks

Authentication #5

Closed: ohnoezlennydied closed this 6 months ago

ohnoezlennydied commented 6 months ago

After reviewing the Official API documentation, it appears that there is currently no authentication implemented. I am very interested in knowing if there are any plans for authentication or if it is possible to report this to APSystems.

SonnenladenGmbH commented 6 months ago

The current implementation of the local API does not incorporate authentication measures. This decision was based on the understanding that gaining access to your local network would be a prerequisite for any potential attack, thus adding a layer of inherent security.

However, in contrast, the cloud API from APsystems employs robust authentication protocols, utilizing advanced encryption algorithms. This enhanced security is deemed essential, recognizing the increased vulnerability and the broader range of potential threats associated with cloud-based services.

ohnoezlennydied commented 6 months ago

In my opinion, trusting every user or device by default is not good behavior. It would be nice to follow the zero trust concept. Also, not every Wi-Fi network is secured by default.

As a first step it would be nice to have basic HTTP authentication.

As a further step there could be transport encryption such as TLS.

mawoka-myblock commented 6 months ago

I see this as unnecessary, as the device is intended for home use and people who have an unencrypted WiFi network, well... And if you don't want that, just go for the cloud API.

NeoFromMatrix commented 4 months ago

Even in home use, people allow friends and family into their network, meaning a couple of devices which are not under the network administrator's control. There may be a couple of other IoT devices with questionable firmware update status. Devices may get compromised over time.

From a security standpoint, networks should be treated as untrusted. Separate authentication should be used, especially when parameters can be changed. You do not want a single compromised device taking over your whole network. If you take a look at other devices, smart lighting like the Philips Hue system, routers, etc., pretty much all allow you to set up some kind of authentication.

This could also be a feature which can be disabled in the app if you want an unauthenticated option.
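The basic HTTP authentication proposed above, and the per-device authentication NeoFromMatrix asks for, can be added on the home-network side today without firmware changes: a small authenticating reverse proxy in front of the inverter's local API. The following is an added example, not code from the APsystems-EZ1-API project or from APsystems; the inverter address, port and credentials are placeholders, and the proxy itself binds to localhost only (TLS would go in front of it, as the thread suggests).

```python
# Added example: authenticating reverse proxy in front of the EZ1 local API.
# Not part of the APsystems-EZ1-API library. Address and credentials are placeholders.
import base64
import binascii
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.error import URLError
from urllib.request import urlopen

INVERTER_BASE = "http://192.0.2.10:8050"  # placeholder: inverter's local API base URL
PROXY_USER = "ez1"                         # placeholder credentials for the proxy
PROXY_PASS = "change-me"


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value a client (e.g. the library caller) would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header: Optional[str], user: str, password: str) -> bool:
    """Return True only if header carries valid HTTP Basic credentials."""
    parts = header.split(None, 1) if header else []
    if len(parts) != 2 or parts[0].lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    got_user, sep, got_pass = decoded.partition(":")
    if not sep:
        return False
    # Compare both fields in constant time so timing does not reveal which one failed.
    ok_user = hmac.compare_digest(got_user.encode(), user.encode())
    ok_pass = hmac.compare_digest(got_pass.encode(), password.encode())
    return ok_user and ok_pass


class AuthProxy(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        if not check_basic_auth(self.headers.get("Authorization"), PROXY_USER, PROXY_PASS):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="ez1"')
            self.end_headers()
            return
        try:  # forward to the inverter only after the caller has authenticated
            with urlopen(INVERTER_BASE + self.path, timeout=5) as upstream:
                body, status = upstream.read(), upstream.status
        except URLError:
            self.send_response(502)
            self.end_headers()
            return
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AuthProxy).serve_forever()  # localhost only
```

Clients then call the proxy instead of the inverter and send the header from `basic_auth_header`; the inverter's own port should be firewalled from the rest of the network so the proxy is the only route to it.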

mawoka-myblock commented 4 months ago

We can't do much on this end. Maybe try to contact APsystems to suggest this feature. When they see that many are interested, they may do something about it.